PHP provides two magic quote settings, magic_quotes_gpc and magic_quotes_runtime, that conveniently escape data for us. If these two settings are set to On in php.ini, a backslash is automatically added before every single quote ', double quote " and backslash \ in the data they cover, escaping these characters for us so that data operations run correctly. However, across different PHP versions and server configurations, some servers have magic_quotes_gpc and magic_quotes_runtime set to On and others have them set to Off, so the programs we write must work under both conditions. So what is the difference between magic_quotes_gpc and magic_quotes_runtime? See the following description:
magic_quotes_gpc
Scope: data passed from the web client to the server;
Time of action: when the request starts, for example when the script is run.
magic_quotes_runtime
Scope: data read from a file, the result of executing exec(), or data obtained from a SQL query;
Time of action: every time the script accesses data generated at runtime.
Therefore, the value of magic_quotes_gpc affects data obtained through Get/Post/Cookies; the value of magic_quotes_runtime affects data read from a file or obtained from a database query.
Example:
<form action="" method="post" >
STR:<input type="text" name="str">
<input type="submit">
</form>
<?php
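/* We type the characters '" into the form. If magic_quotes_gpc is not turned on, they will not be escaped with backslashes */
$posted = isset($_POST['str']) ? $_POST['str'] : ''; // Empty until the form is submitted
// htmlspecialchars() keeps the submitted text from being interpreted as HTML when it is echoed
echo 'The value passed through POST now is:', htmlspecialchars($posted, ENT_QUOTES), '<br />';
if (get_magic_quotes_gpc()) { // Check whether magic_quotes_gpc is turned on
    $str = $posted; // On: PHP has already escaped the value
} else {
    $str = addslashes($posted); // Off: escape it ourselves with addslashes
}
echo 'Here is the escaped version:', htmlspecialchars($str, ENT_QUOTES), '<hr />';
$sql = "INSERT INTO lastnames (lastname) VALUES ('$str')";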
//=====================================================================================
//-----magic_quotes_gpc will only escape: data obtained through Get/Post/Cookies
//-----magic_quotes_runtime will escape: data read from a file, the result of executing exec(), or data obtained from a SQL query
//=====================================================================================
$data = implode('', file('try.php')); // We again put the characters '" in this file for testing
echo 'Here is the data of try.php, ';
if (get_magic_quotes_runtime()) {
    // On: PHP already escaped the data as it was read
    echo 'escaped by the system: ', htmlspecialchars($data, ENT_QUOTES);
} else {
    $data = addslashes($data); // Off: escape it ourselves with addslashes
    echo 'escaped by addslashes: ', htmlspecialchars($data, ENT_QUOTES);
}
$sql = "INSERT INTO lastnames (lastname) VALUES ('$data')";
echo '<br />SQL statement is:<br />', htmlspecialchars($sql, ENT_QUOTES);
//---Everything is escaped when it goes into the database, but that leaves extra backslashes. When we want to read back the original data, use stripslashes() to remove them.
//---stripslashes() and addslashes() have opposite effects
?>
The most critical difference is the two points mentioned above: the two settings target different data. The value of magic_quotes_gpc affects data obtained through Get/Post/Cookies. The value of magic_quotes_runtime affects data read from a file or obtained from a database query.
A few related functions are worth mentioning here:
set_magic_quotes_runtime(): sets the magic_quotes_runtime value. 0 = off, 1 = on. The default state is off. You can use phpinfo(); to check magic_quotes_runtime.
get_magic_quotes_gpc(): checks the magic_quotes_gpc value. 0 = off, 1 = on.
get_magic_quotes_runtime(): checks the magic_quotes_runtime value. 0 = off, 1 = on.
Note that there is no set_magic_quotes_gpc() function; that is, the value of magic_quotes_gpc cannot be set from within the program.
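Another way to satisfy both the on and off conditions, as an added example that is not part of the original article: undo the magic_quotes_gpc escaping when it is present, then hand the raw value to a PDO prepared statement, which is a different technique from the addslashes() approach above. The helper names, the sample input and the in-memory SQLite database (which needs the pdo_sqlite extension) are assumptions made for illustration.

```php
<?php
// Added example (not from the original article).

// True only when this PHP build still has magic_quotes_gpc and it is on.
// get_magic_quotes_gpc() was removed in PHP 8.0, so test for it first;
// "@" hides the deprecation notice PHP 7.4 emits.
function magic_quotes_gpc_active()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Return the value as the client sent it, stripping the backslashes that
// magic_quotes_gpc added. Inputs such as name="str[]" arrive as arrays.
function raw_gpc_value($value, $magicOn)
{
    if (!$magicOn) {
        return $value;
    }
    if (is_array($value)) {
        foreach ($value as $key => $item) {
            $value[$key] = raw_gpc_value($item, $magicOn);
        }
        return $value;
    }
    return stripslashes($value);
}

// Constructed sample: what the user typed into the form field "str".
$typed = "O'Brien \"Jr\" \\";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE lastnames (lastname TEXT)');
// The placeholder keeps the data out of the SQL text, so no addslashes().
$stmt = $pdo->prepare('INSERT INTO lastnames (lastname) VALUES (:lastname)');

// Simulate both server configurations: with the setting on, the script would
// receive addslashes($typed); with it off, $typed unchanged.
foreach (array(true, false) as $magicOn) {
    $received = $magicOn ? addslashes($typed) : $typed;
    $stmt->execute(array(':lastname' => raw_gpc_value($received, $magicOn)));
}

foreach ($pdo->query('SELECT lastname FROM lastnames') as $row) {
    // Both rows hold the text exactly as typed; escape for HTML only on output.
    echo htmlspecialchars($row['lastname'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

In a real request handler the call would be raw_gpc_value($_POST['str'], magic_quotes_gpc_active()).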